It is possible to construct font files supposed to be loaded by imageloadfont() which trigger OOB reads if the fonts are actually accessed (e.g. by imagechar()). The given test scripts exploits that by triggering the assignment of a zero byte memory allocation to gdFont.data (which is happily accepted by imageloadfont()), and to read beyond this "buffer" when calling imagechar(). So if an application allows to upload arbitrary font files and working with these, it is likely vulnerable.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 2139281]